Desktop and Application Streaming

Use Azure MFA and Microsoft Network Policy Server (NPS) for multi-factor authentication with Amazon WorkSpaces

Amazon WorkSpaces offers several options to secure access to your WorkSpaces, including integrating with your RADIUS infrastructure to provide multi-factor authentication. With the deprecation of Azure MFA Server, customers who want to use Azure MFA now need to deploy a Network Policy Server (NPS) with the Azure MFA NPS Extension. Depending on the types of tokens in use, the configuration of NPS and of your AWS directory may differ.

Overview

In this post, I walk through using an NPS server with AWS Directory Service, and how to configure both for common token types.

Prerequisites

To follow the steps in the post, you need the following:

  • An AWS environment with Amazon WorkSpaces configured
  • A Windows Server with the Network Policy and Access Services role installed
  • An AWS Directory Service AD Connector
  • An Azure account with Azure AD
  • Azure AD Connect synchronization configured and working
  • Enterprise Mobility + Security or Multi-Factor Authentication standalone licenses for Azure assigned to your users
  • The NPS Extension for Azure MFA
  • The Microsoft Authenticator mobile app or physical MFA tokens for your users (SMS-based codes are not supported)

In this post, I assume that you already have NPS configured to work with Azure using the NPS Extension. If you have not yet configured this, you can find details at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

Walkthrough

Step 1: Gather Active Directory Connector details

  1. Browse to the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces
  2. Select Directories on the left side
  3. Expand the directory you are configuring for Azure MFA
  4. Make note of the two directory IP addresses (one per AD Connector endpoint)
  5. Make note of the DirectoryId

Step 2: Configure NPS clients

Now we configure two RADIUS clients in NPS, one for each of the two IP addresses of our AD Connector.

  1. Connect to your NPS server
  2. Open the Network Policy Server console from the Start menu
  3. Expand RADIUS Clients and Servers
  4. Right-click RADIUS Clients
  5. Select New
  6. Provide a friendly name
  7. Enter the first IP address from Step 1 item 4
  8. Select the Generate radio button to create a new shared secret
  9. Click Generate
  10. Save the generated secret somewhere safe, such as a password manager; you need it again in Step 5
  11. Click OK
  12. Repeat steps 4 through 6 to create a second RADIUS client
  13. Provide the second IP address from Step 1 item 4
  14. Select Manual, paste the shared secret from the first client, and click OK

When finished, you should have two clients, one for each IP address of your AD Connector, both using the same shared secret.

  15. Make note of the IP address of your NPS server
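The same two clients can be created from PowerShell, which also avoids pasting the secret by hand. The following is an added example and not code from the original post; it uses the NPS module's New-NpsRadiusClient and Set-NpsRadiusClient cmdlets on the NPS server itself, and the two IP addresses and client names are placeholders for your Step 1 values:

```powershell
# Added example, not from the original post: creates the two RADIUS clients of
# Step 2 with the NPS PowerShell module (installed with the Network Policy and
# Access Services role). Run in an elevated PowerShell session on the NPS server.
# The IP addresses are placeholders for the two directory IPs noted in Step 1.
Import-Module NPS

$adConnectorIps = @('10.0.1.10', '10.0.2.10')   # placeholders: Step 1 item 4

# Draw the shared secret from the OS cryptographic RNG. The alphabet has exactly
# 64 symbols, so masking each byte with 63 picks uniformly with no modulo bias.
function New-RadiusSharedSecret {
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

$secret = New-RadiusSharedSecret

# One client per AD Connector IP; both must carry the same secret because the
# directory accepts a single shared secret for its RADIUS server (Step 5).
$index = 1
foreach ($ip in $adConnectorIps) {
    $existing = Get-NpsRadiusClient | Where-Object { $_.Address -eq $ip }
    if ($existing) {
        Write-Warning "A RADIUS client for $ip already exists ($($existing.Name)); updating its secret"
        Set-NpsRadiusClient -Name $existing.Name -SharedSecret $secret
    } else {
        New-NpsRadiusClient -Name "AD-Connector-$index" -Address $ip -SharedSecret $secret | Out-Null
    }
    $index++
}

# Check: exactly the two connector addresses should be listed.
Get-NpsRadiusClient | Where-Object { $adConnectorIps -contains $_.Address } |
    Format-Table Name, Address -AutoSize

# Shown once: record it in your password manager for Step 5, then clear it.
"Shared secret (needed in Step 5): $secret"
Remove-Variable secret

# Optional backup. The export file contains the shared secrets in clear text,
# so protect or delete it after use.
# Export-NpsConfiguration -Path "$env:USERPROFILE\Documents\nps-backup.xml"
```

Creating the clients this way gives a secret that never passes through the clipboard, and re-running the script updates the secret on both clients consistently instead of leaving one behind with an old value.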

Step 2a: Configure NPS Connection Request Policy

Depending on the token type and client behavior you prefer, some changes to your NPS connection request policy may be necessary. The Azure MFA NPS Extension supports PAP with all authentication methods, and CHAPV2 only with phone calls and mobile app notifications.

It is important to note that PAP is not encrypted. RADIUS only obscures the User-Password attribute by XORing it with MD5 hashes derived from the shared secret and the request authenticator, so anyone who can capture the traffic and knows or guesses the shared secret can recover the value the user typed. Enabling PAP in NPS results in a warning that it is insecure. For this reason, when using PAP, we configure the connection request policy to accept users without validating credentials, so NPS never checks Active Directory passwords over PAP and only passes the request to the Azure MFA extension; the AD Connector has already validated the user's domain password. We also limit this policy to traffic from the two AD Connector IP addresses, and rely on the randomly generated shared secret from Step 2.

Note: Without this change, users of push-based tokens must enter their password in both the Password and MFA fields of the WorkSpaces client. With the policy below in place, any text in the MFA field triggers the push.

To accomplish this, perform the following:

  1. Open the NPS console
  2. Expand Policies and right-click Connection Request Policies
  3. Select New
  4. Provide a policy name
  5. Click Next
  6. Click Add…
  7. Select Client IPv4 Address and click Add…
  8. Enter the first IPv4 address from Step 1 and click OK
  9. Click Next
  10. On the Specify Connection Request Forwarding page, select Accept users without validating credentials
  11. Click Next
  12. Click Next
  13. Click Finish
  14. Right-click the policy you just created
  15. Select Duplicate Policy
  16. Double-click the new policy
  17. Adjust the name as needed
  18. Change to the Conditions tab
  19. Select the Client IPv4 Address condition and click Edit…
  20. Change the IP to the second directory IP from Step 1
  21. Click OK
  22. Click Apply
  23. Click OK
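To see concretely what "not encrypted" means for the value in the MFA field, here is the RFC 2865 section 5.2 User-Password hiding that RADIUS applies to a PAP password, as an added illustration that is not part of the original post. The OTP, shared secret, request authenticator and wordlist are constructed for the demonstration, and the functions model the protocol step; they are not NPS or AD Connector code:

```powershell
# Added illustration, not from the original post: RADIUS User-Password hiding as
# specified in RFC 2865 section 5.2, which is all that protects a PAP password on
# the wire. The sample OTP, secret, request authenticator and wordlist below are
# constructed for the demonstration.

function Get-Md5Hash {
    param([byte[]]$Data)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { ,$md5.ComputeHash($Data) } finally { $md5.Dispose() }
}

# Hide: pad the password to a 16-byte multiple, then XOR each block with
# MD5(secret + previous block), seeded with the 16-byte request authenticator.
function Protect-RadiusUserPassword {
    param([string]$Password, [string]$Secret, [byte[]]$RequestAuthenticator)
    $s = [Text.Encoding]::UTF8.GetBytes($Secret)
    $p = [Text.Encoding]::UTF8.GetBytes($Password)
    $padLength = (16 - ($p.Length % 16)) % 16
    if ($p.Length -eq 0) { $padLength = 16 }
    $p = [byte[]]($p + (New-Object byte[] $padLength))
    $hidden = New-Object byte[] $p.Length
    $prev = $RequestAuthenticator
    for ($i = 0; $i -lt $p.Length; $i += 16) {
        $b = Get-Md5Hash ([byte[]]($s + $prev))
        for ($j = 0; $j -lt 16; $j++) { $hidden[$i + $j] = $p[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$hidden[$i..($i + 15)]
    }
    ,$hidden
}

# Reveal: the same keystream, but chained on the received ciphertext blocks.
function Unprotect-RadiusUserPassword {
    param([byte[]]$Hidden, [string]$Secret, [byte[]]$RequestAuthenticator)
    $s = [Text.Encoding]::UTF8.GetBytes($Secret)
    $plain = New-Object byte[] $Hidden.Length
    $prev = $RequestAuthenticator
    for ($i = 0; $i -lt $Hidden.Length; $i += 16) {
        $b = Get-Md5Hash ([byte[]]($s + $prev))
        for ($j = 0; $j -lt 16; $j++) { $plain[$i + $j] = $Hidden[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$Hidden[$i..($i + 15)]
    }
    [Text.Encoding]::UTF8.GetString($plain).TrimEnd([char]0)
}

# Constructed "captured" Access-Request: the authenticator travels in clear in
# the packet header; the weak secret stands in for a hand-typed one.
$authenticator = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($authenticator)
$weakSecret = 'radius123'
$hidden = Protect-RadiusUserPassword -Password '482913' -Secret $weakSecret -RequestAuthenticator $authenticator

# NPS, holding the secret, reads what the user typed in the MFA field.
Unprotect-RadiusUserPassword -Hidden $hidden -Secret $weakSecret -RequestAuthenticator $authenticator

# An eavesdropper needs only the packet and a wordlist: one MD5 per guess, and a
# guess is confirmed when the result looks like a six-digit OTP. With the push
# workaround from the note above, the recovered value would be the AD password.
$wordlist = @('password', 'Secret123', 'radius123', 'aws')   # constructed
foreach ($guess in $wordlist) {
    $candidate = Unprotect-RadiusUserPassword -Hidden $hidden -Secret $guess -RequestAuthenticator $authenticator
    if ($candidate -match '^\d{6}$') { "Secret '$guess' recovers MFA field: $candidate" }
}
```

The request authenticator is in the packet header, so the only unknown is the shared secret, and each guess costs one MD5 per 16-byte block. That is why the secret should come from the Generate button (or an equivalent cryptographic RNG) rather than a memorable string, why the connection request policy should accept requests only from the two AD Connector addresses, and why the RADIUS path between the directory and NPS belongs on a private network.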

Step 3: Create a Network Policy

In this step we create a network policy to limit which users can use the NPS server. Ahead of this step, create an Active Directory group that contains your WorkSpaces users. I recommend using this group both to allow access in NPS and in your Azure console to assign an MFA license to the users.

  1. In the NPS console, right-click Network Policies
  2. Select New
  3. Give the policy a name
  4. Click Next
  5. Click Add…
  6. Select User Groups and press Add…
  7. Click Add Groups…
  8. Select any groups you want to allow access and click OK
  9. Click OK
  10. Click Next
  11. Ensure Access granted is selected and click Next
  12. Click Next through the remaining pages and click Finish

Step 4: Configure EC2 security groups for your Active Directory Connector

  1. Browse to the EC2 console at https://console.aws.amazon.com/ec2/v2
  2. Under NETWORK & SECURITY, select Security Groups
  3. Enter the DirectoryId from Step 1 in the filter
  4. Of the two groups displayed, select the one with “controllers” in the name
  5. Select the Inbound tab
  6. Click Edit
  7. Click Add Rule
  8. Select Custom UDP Rule for Type
  9. Enter 1812 for the Port range
  10. Set the Source to Custom
  11. Enter the IPv4 address of your NPS server from Step 2 part 15 as a /32 CIDR, then click Save

The AD Connector initiates the RADIUS requests, so also confirm that the security group attached to your NPS server allows inbound UDP 1812 from the two directory IP addresses from Step 1, and that Windows Firewall on the NPS server permits RADIUS authentication traffic (the Network Policy and Access Services role adds these firewall rules when it is installed).

Step 5: Configure your Active Directory Connector

Now that the NPS configuration is complete, we can configure our AD Connector to use it as a RADIUS server.

  1. Go to the WorkSpaces console at https://console.aws.amazon.com/workspaces
  2. On the left side, select Directories
  3. Select the check box next to the directory you are configuring
  4. Press the Actions button
  5. Select Update Details
  6. Expand Multi-Factor Authentication
  7. Enter the RADIUS server IPv4 address of your NPS server from Step 2 part 15
  8. Enter the shared secret from Step 2 part 10
  9. Enter the shared secret again to confirm
  10. Set the protocol to PAP

Note: If you only plan to use push tokens, you can use MS-CHAPv2 as the RADIUS protocol. For all other scenarios, such as verification codes from the Authenticator app or hardware tokens, you must use PAP.

  11. Set the server timeout to 30 seconds

Note: If you intend to use push tokens, you may want to set a higher timeout to give your users time to respond. You can set up to 50 seconds.

  12. Set the max retries to 1
  13. Click the Update button
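Steps 4 and 5, together with the lookup in Step 1, map onto the DescribeDirectories, AuthorizeSecurityGroupIngress and EnableRadius API calls, which is useful when you automate the directory setup. The following PowerShell is an added example and not from the original post; it drives the AWS CLI and assumes the CLI is installed with credentials for the account that owns the directory. The directory ID, NPS IP address and NPS security group ID are placeholders:

```powershell
# Added example, not from the original post: the AWS side of Steps 1, 4 and 5
# using the AWS CLI from PowerShell. Assumes the AWS CLI is installed and has
# credentials permitted to call ds:DescribeDirectories, ds:EnableRadius and
# ec2:AuthorizeSecurityGroupIngress. The IDs and IP below are placeholders.
$directoryId = 'd-1234567890'          # placeholder: DirectoryId from Step 1
$npsIp       = '10.0.3.20'             # placeholder: NPS server IP from Step 2 item 15
$npsSgId     = 'sg-0123456789abcdef0'  # placeholder: security group on the NPS instance

# Step 1: read the AD Connector IPs and its controllers security group from the
# API instead of the console.
$directory = (aws ds describe-directories --directory-ids $directoryId --output json |
    ConvertFrom-Json).DirectoryDescriptions[0]
$connectIps = @($directory.ConnectSettings.ConnectIps)
$controllersSgId = $directory.ConnectSettings.SecurityGroupId
"AD Connector IPs: $($connectIps -join ', '); controllers security group: $controllersSgId"

# Step 4: UDP 1812 from the NPS server into the controllers security group (/32),
# and, because AD Connector initiates the RADIUS requests, UDP 1812 from both
# connector IPs into the NPS instance's own security group.
aws ec2 authorize-security-group-ingress --group-id $controllersSgId --protocol udp --port 1812 --cidr "$npsIp/32"
foreach ($ip in $connectIps) {
    aws ec2 authorize-security-group-ingress --group-id $npsSgId --protocol udp --port 1812 --cidr "$ip/32"
}

# Step 5: enable RADIUS on the directory with the values from the post. The
# secret is prompted for rather than embedded. UseSameUsername sends the user's
# AD user name to NPS so the group condition in the network policy can match.
$secureSecret = Read-Host -Prompt 'RADIUS shared secret from Step 2 item 10' -AsSecureString
$request = @{
    DirectoryId    = $directoryId
    RadiusSettings = @{
        RadiusServers          = @($npsIp)
        RadiusPort             = 1812
        RadiusTimeout          = 30      # raise (max 50) if users need longer to answer a push
        RadiusRetries          = 1
        SharedSecret           = [System.Net.NetworkCredential]::new('', $secureSecret).Password
        AuthenticationProtocol = 'PAP'   # MS-CHAPv2 only if every user has a push token
        DisplayLabel           = 'Azure MFA'
        UseSameUsername        = $true
    }
}

# --cli-input-json needs a file; it holds the secret in clear text, so it is
# written without a BOM and removed as soon as the call returns.
$requestFile = Join-Path $env:TEMP "enable-radius-$directoryId.json"
try {
    $json = $request | ConvertTo-Json -Depth 4
    [System.IO.File]::WriteAllText($requestFile, $json, [System.Text.UTF8Encoding]::new($false))
    aws ds enable-radius --cli-input-json "file://$requestFile"
} finally {
    Remove-Item $requestFile -Force -ErrorAction SilentlyContinue
}

# RadiusStatus moves from Creating to Completed once the settings are applied.
aws ds describe-directories --directory-ids $directoryId `
    --query 'DirectoryDescriptions[0].RadiusStatus' --output text
```

Reading ConnectIps and SecurityGroupId from the API also gives you a cross-check against the two addresses you typed into the NPS RADIUS clients and connection request policies: if they differ, the requests from the directory never match the policy and users see an MFA failure rather than a prompt.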

Conclusion

With your Network Policy Server configured as described, you can now use Azure MFA to provide an additional factor for your users.